Why is the 'sss' backend verboten as a default IDMAP backend?

Andreas Schneider asn at samba.org
Mon Jul 17 15:21:06 UTC 2017


On Saturday, 15 July 2017 00:43:41 CEST Richard Sharpe via samba-technical 
wrote:
> On Fri, Jul 14, 2017 at 3:16 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:
> > On Fri, Jul 14, 2017 at 2:57 PM, Jeremy Allison <jra at samba.org> wrote:
> >> On Fri, Jul 14, 2017 at 02:53:21PM -0700, Richard Sharpe via samba-technical wrote:
> >>> Hi folks,
> >>> 
> >>> Just testing 4.7rc3 and ran into this problem:
> >>> 
> >>> ERROR: Do not use the 'sss' backend as the default idmap backend!
> >>> 
> >>> Why is that?
> >> 
> >> git blame on testparm gives:
> >> 
> >> $ git show 3de634d7a04f
> >> commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
> >> Author: Andreas Schneider <asn at samba.org>
> >> Date:   Wed Dec 7 17:44:25 2016 +0100
> >> 
> >>     s3-testparm: Print error if the default backend is incorrect
> >>     
> >>     Signed-off-by: Andreas Schneider <asn at samba.org>
> >>     Reviewed-by: Michael Adam <obnox at samba.org>
> >> 
> >> That should help you look up the patch and discussion
> >> on samba-technical archives.
> > 
> > OK, so having read the discussion I guess the issues are:
> > 
> > 1. Does sssd generate collision-free idmaps when the customer has
> > multiple domains?
> > 2. Do we want to live dangerously?
> 
> I notice this in the change:
> 
> + const char *default_backends[] = {
> +                       "tdb", "tdb2", "ldap", "autorid", "hash"
> +               };
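
Review bot: the default_backends[] allow-list carries no comment stating what qualifies a backend as an acceptable default, and "hash" sits in it next to "tdb" and "autorid" with nothing marking it as different. A one-line comment above the array giving the criterion, plus a note on any entry that is kept only for compatibility, would stop the list from being read as a recommendation.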
> 
> That means that the code accepts the hash backend and I think sss uses
> the same sort of scheme, so sss should be safe, it would seem.

hash is there for compatibility reasons. The hash backend should never be 
used. Sadly we can't remove it yet.

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
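
For auditing existing configurations against the allow-list quoted in this thread, here is an added example (not code from Samba or from any poster here). It reads the `[global]` section of an smb.conf text, finds `idmap config * : backend`, and classifies the value. The function names, the sample config, and the "warn" status for `hash` (based on the reply above) are this example's own assumptions.

```python
import re

# Allow-list quoted in the thread from the testparm change.
DEFAULT_BACKENDS = ("tdb", "tdb2", "ldap", "autorid", "hash")
COMPAT_ONLY = ("hash",)  # accepted only for compatibility, per the reply

# Constructed sample config (not from the thread).
SAMPLE_SSS = "[global]\n  security = ads\n  idmap config * : backend = sss\n"


def _norm(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def default_idmap_backend(conf_text):
    """Return the [global] 'idmap config * : backend' value, or None."""
    section, value, pending = None, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        if _norm(key) == "idmapconfig*:backend":
            value = val.strip().lower()  # lowercased; later lines override
    return value


def check(conf_text):
    """Return (status, backend); status is ok, warn, error or unset."""
    backend = default_idmap_backend(conf_text)
    if backend is None:
        return "unset", None
    if backend not in DEFAULT_BACKENDS:
        return "error", backend
    return ("warn" if backend in COMPAT_ONLY else "ok"), backend


if __name__ == "__main__":
    print(check(SAMPLE_SSS))  # ('error', 'sss')
```

Per-domain settings such as `idmap config EXAMPLE : backend = sss` are deliberately not matched, since the testparm error in this thread concerns only the default (`*`) backend.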


